As wireless networks become an increasingly indispensable part of our personal and professional lives, securing these communication systems becomes increasingly important. The wireless communications used in wireless networks present potential security vulnerability. Specifically, an eavesdropper can overhear transmissions that are intended for another node in the network. In wireless networks, cryptography can be used to ensure that only authorized nodes are able to read the data contained in received transmissions. That is to say, cryptography can be used to ensure the confidentiality of sensitive data, even when malicious eavesdroppers are present in the network.
Cryptography is the art and science of keeping data secure. In a wireless network, an encryption method operating at a data source can transform a data sequence into a secret using an encryption key. In the parlance of cryptography, the original data sequence is the plaintext and the secret is the ciphertext. Upon reception of the ciphertext, a decryption process operating at an authorized destination node transforms the ciphertext back into the original data sequence using a decryption key. The security of an encryption process is typically measured by the amount of computational resources that an eavesdropper must expend to obtain the plaintext from the ciphertext if that eavesdropper does not possess the decryption key. For example, an encryption process is said to be 80-bit secure if an eavesdropper requires at least 280 computing operations to recover the plaintext. Examples of cryptographic techniques include one-time pads, symmetric key algorithms, public key algorithms, and key derivation functions.
A one-time pad is a common, random string of bits that is shared by the source and authorized destination of a data sequence. For example, the one-time pad might be the 32-bit sequence:p={1,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,0,1,1,1,1,0,1,1,1,1,1,0,1,0,1,0}.When the source wishes to transmit a 32-bit data sequence d to the intended destination,d={1,0,0,1,1,0,1,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,0,1,0,1,1},it computes the exclusive or (XOR) of each bit of the data sequence d and each bit of the one-time pad p to produce the ciphertext c:c=p⊕d={0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,1,1,0,1,0,0,0,1,1,0,1,0,0,0,0,0,1}.Since XORing with the same binary value twice restores the original value, the destination recovers the data sequence by computing:p⊕c=p⊕p⊕d=d  Equation (1)If an eavesdropper obtains the first bit of the ciphertext but does not know the first bit of the one-time pad, then it cannot distinguish whether the first bit of the data sequence was a 1 or a 0 because both 0⊕0=0 and 1⊕1=0. In this case, the best an eavesdropper can do is to randomly guess whether than bit is a 0 or a 1. More generally, the best an eavesdropper can do is guess the value of each of the 32 bits in the data sequence. This scheme is therefore 32-bit secure.
One-time pads are a type of symmetric key algorithm. The term “symmetric” is used to indicate that the same key is used for encryption and for decryption. The Advanced Encryption Standard (AES) is a sophisticated symmetric key algorithm that is used in many commercial and military wireless networks. The encryption and decryption processes in symmetric key algorithms are typically very computationally efficient.
Public key algorithms are designed so that the encryption key and decryption key are different, but mathematically linked. In a public key algorithm, a node will typically generate a random string of bits and derive an encryptiondecryption key pair from that random string. The encryption key is made publically available to the other nodes while the decryption key remains private. The cryptographic strength of a public key algorithm lies in the computational difficulty of determining a private key from the corresponding public key. The RSA Algorithm—which is named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman—is a widely used public key algorithm. The encryption and decryption processes in public key algorithms are generally much more computationally complex than those in symmetric key algorithms.
In many applications, it is desirable to be able to generate multiple temporary keys from an underlying persistent key. In such applications, the temporary keys are called “session keys” while the persistent keys are called “master keys”. A master key, for example, may be generated based on deterministic random bit generators (DRBG), also known as a pseudorandom number generator. In another example, the master key may be generated using a non-deterministic random bit generator. A key derivation function (KDF) is the mathematical tool used to generate a session key from a master key and some other input (e.g., a unique identifier for the session). In an embodiment, a KDF φ( ) may produce an output key sj,i that is a function of the input key kj and the session identifier i:sj,i←φ(kj,i)  Equation (2)The cryptographic strength of a KDF lies in the computational difficulty of determining a master key from the corresponding session key. A common KDF that is typically used is the hash-based message authentication code (HMAC).
Relying solely on symmetric key algorithms is often undesirable in a wireless network. For example, consider a military use case where every soldier in a squadron is given a radio that is pre-loaded with a common symmetric key prior to a mission. If, during the course of the mission, one of those radios falls into enemy hands, then all future intra-squad communications could be compromised. Owing to the relative complexity of public key encryption and decryption, however, relying solely on public key algorithms is also often undesirable. Many wireless networks therefore employ the following combination of public and symmetric key algorithms for secure communications between pairs of nodes:                A source node “Alice” transmits a plaintext message to a destination node “Bob” indicating that she wishes to initiate a secure unicast session with him.        Bob generates a public/private key pair for the public key algorithm and transmits his public key to Alice as plaintext.        Alice generates a session key for the symmetric key algorithm, encrypts it using Bob's public key, and transmits the session key as ciphertext to Bob.        Bob uses his private key to decrypt the received ciphertext, thereby recovering the plaintext session key.        Alice and Bob now share a common cryptographic key that can be used for encryption and decryption via the symmetric key algorithm.        
In many wireless networking scenarios it is insufficient to provide only for secure unicast communications. For example, the data traffic in military wireless networks is generally encrypted and is often multicast in nature—i.e., it is transmitted from one source to many destinations simultaneously. The procedure outlined above for secure unicast communications can be generalized to secure multicast communications as follows:                Alice transmits a plaintext message to the T multicast destinations indicating that she wishes to initiate a secure multicast session.        Each of the T destinations generates a unique public/private key pair for the public key algorithm and transmits its unique public key to Alice as plaintext.        Alice generates a session key for the symmetric key algorithm.        Alice encrypts and transmits the session key to each of the T destinations separately using the corresponding public keys.        Each destination uses its unique private key to decrypt the ciphertext message that it receives, thereby recovering the plaintext session key.        Alice and all of the destinations now share a common cryptographic key that can be used for encryption and decryption via the symmetric key algorithm.        
Observe that the number of messages required to initiate the secure multicast session grows linearly with the number of destinations T. For large multicast groups, this procedure will therefore be inefficient. Suppose instead that the destination nodes already shared a common random bit string—i.e., a group key. If this were the case, then the secure multicast session could be initiated as follows:                Alice transmits a plaintext message to the T multicast destinations indicating that she wishes to initiate a secure multicast session.        The T destinations generate a common group public/group private key pair from the shared group key.        One of the T destinations transmits the group public key to Alice.        Alice generates a session key, encrypts it using the group public key, and transmits the session key as ciphertext to all destinations simultaneously.        All of the destinations use the common group private key to decrypt the received ciphertext, thereby recovering the plaintext session key.        Alice and all of the destinations now share a common session key that can be used for encryption and decryption via the symmetric key algorithm.        
Comparing the multicast procedures described above, it is clear that provided a group key can be established among T nodes with a number of transmissions that grows sublinearly with T, then the latter procedure will be more efficient than the former in terms of number of transmissions required to establish the session key for a secure multicast session.